Boing Boing (http://boingboing.net)
Brain candy for Happy Mutants

How SOPA will destroy Internet security
http://boingboing.net/2011/12/17/how-sopa-will-destroy-internet.html
Sat, 17 Dec 2011 22:33:45 +0000

Last week's SOPA hearings were punctuated by facepalming moments in which learned members of the House Judiciary Committee dismissed the distinguished engineers who say the bill weakens Internet security. They said things like, "I'm no nerd, but I just don't believe it."

Well, you don't have to be a "nerd" to understand a) what DNSSEC is; b) why we desperately need it (or something like it) before the Internet collapses along with the creaking public key infrastructure; and c) how the insanity in SOPA will tank that effort. Stewart Baker at the Volokh Conspiracy lays it out in small, easy-to-understand words.

Unfortunately, the things a browser does to bypass a criminal site will also defeat SOPA’s scheme for blocking pirate sites. SOPA envisions the AG telling ISPs to block the address of www.piracy.com. So the browsers get no information about www.piracy.com from the ISP’s DNS server. Faced with silence from that server, the browser will go into fraud-prevention mode, casting about to find another DNS server that can give it the address. Eventually, it will find a server in, say, Canada. Free from the Attorney General’s jurisdiction, the server will provide a signed address for piracy.com, and the browser will take its user to the authenticated site.

That’s what the browser should do if it’s dealing with a hijacked DNS server. But browser code can’t tell the Attorney General from a hijacker, so it will end up treating them both the same. And from the AG’s point of view, the browser’s efforts to find an authoritative DNS server will look like a deliberate effort to evade his blocking order.

The latest version of SOPA will feed that view. It allows the AG to sue “any entity that knowingly and willfully provides …a product … designed by such entity or by another in concert with such entity for the circumvention or bypassing of” the AG’s blocking orders.
